CVE-2026-2257: CWE-639 Authorization Bypass Through User-Controlled Key in roxnor GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.
AI Analysis
Technical Summary
The GetGenie plugin for WordPress suffers from an Insecure Direct Object Reference vulnerability (CWE-639) caused by missing validation on a user-controlled key in the action function. This flaw enables authenticated users with Author-level access or above to modify post metadata arbitrarily. Additionally, because input is not sanitized, this can lead to stored cross-site scripting when higher-privileged users view the affected post's Competitor tab in the plugin sidebar. The vulnerability affects all versions up to and including 4.3.2. No official patch or remediation information is provided in the available data.
Potential Impact
An attacker with Author-level privileges can exploit this vulnerability to alter metadata of any post, potentially injecting malicious scripts that trigger stored XSS when viewed by Administrators. This can lead to privilege escalation or session hijacking risks through the stored XSS vector. The confidentiality and integrity of post metadata are compromised, but availability is not impacted. The CVSS score of 6.4 reflects a medium impact on confidentiality and integrity with no impact on availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Author-level access to trusted users only and monitor for suspicious activity related to post metadata changes. Avoid viewing the Competitor tab in GetGenie sidebar for posts that may have been manipulated by lower-privileged users. Follow up with the vendor for updates on patches or official mitigations.
CVE-2026-2257: CWE-639 Authorization Bypass Through User-Controlled Key in roxnor GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools
Description
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The GetGenie plugin for WordPress suffers from an Insecure Direct Object Reference vulnerability (CWE-639) caused by missing validation on a user-controlled key in the action function. This flaw enables authenticated users with Author-level access or above to modify post metadata arbitrarily. Additionally, because input is not sanitized, this can lead to stored cross-site scripting when higher-privileged users view the affected post's Competitor tab in the plugin sidebar. The vulnerability affects all versions up to and including 4.3.2. No official patch or remediation information is provided in the available data.
Potential Impact
An attacker with Author-level privileges can exploit this vulnerability to alter metadata of any post, potentially injecting malicious scripts that trigger stored XSS when viewed by Administrators. This can lead to privilege escalation or session hijacking risks through the stored XSS vector. The confidentiality and integrity of post metadata are compromised, but availability is not impacted. The CVSS score of 6.4 reflects a medium impact on confidentiality and integrity with no impact on availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Author-level access to trusted users only and monitor for suspicious activity related to post metadata changes. Avoid viewing the Competitor tab in GetGenie sidebar for posts that may have been manipulated by lower-privileged users. Follow up with the vendor for updates on patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-09T15:32:20.261Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69b3ceae2f860ef943b3112c
Added to database: 3/13/2026, 8:45:34 AM
Last enriched: 4/9/2026, 10:03:25 PM
Last updated: 4/28/2026, 7:24:49 AM
Views: 89
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.